Well, it seems I've found the problem.
Because the values for the fields were automatically produced by taking substrings of the names of the HTML form fields, one of the values was appearing as id (it can be seen in the echo I've posted below). The update, as it seems, didn't fail but produced this unexpected behavior.
Thanks to all who tried to help, and sorry for the stupid question.
After I execute an update statement like
UPDATE tablename SET field='value' WHERE field='value'
without ever touching my primary key, it changes its value from what it was before to 0.
Any ideas?
MySQL Server version: 5.5.37-0+wheezy1
This is the code that generates the query:
$query2 = "UPDATE student SET ";
foreach ($_POST as $the_key => $a_post_arg) {
    if (strcmp($the_key, "student_password") === 0) {
        //without activation
        $a_post_arg = md5($a_post_arg);
        //with activation
        //$a_post_arg = "Not activated!";
    }
    if (strcmp($the_key, "student_registration_year") === 0)
        $a_post_arg = $a_post_arg . "-00-00";
    if (strcmp(substr($the_key, 0, 14), "student_stats_") === 0 || strcmp($the_key, "student_validationImageTextfield") === 0) {
        $student_stats[$the_key] = $a_post_arg;
        continue;
    }
    if (strcmp(substr($the_key, 0, 7), "student") === 0 && strcmp($the_key, "student_email_retype") !== 0 && strcmp($the_key, "student_password_retype") !== 0) {
        if (strcmp($the_key, "student_email") !== 0) {
            if (strcmp($the_key, "student_select_dept") === 0) {
                $query2 .= "dept='" . addslashes($a_post_arg) . "', ";
            } else if (strcmp($the_key, "student_semester") === 0) {
                $query2 .= "studying_semester='" . addslashes($a_post_arg) . "', ";
            } else if (strcmp($the_key, "student_father_name") === 0) {
                $query2 .= "fathers_name='" . addslashes($a_post_arg) . "', ";
            } else if (strcmp($the_key, "student_academic_id") === 0) {
                $query2 .= "academicIDNumber='" . addslashes($a_post_arg) . "', ";
            } else {
                // The column name is taken from the form-field name: a field called
                // "student_id" becomes the column "id" here, which is how the primary
                // key ends up in the SET list (see the echo below).
                $query2 .= substr($the_key, 8) . "='" . addslashes($a_post_arg) . "', ";
            }
        }
    }
}
// escape the WHERE value the same way as the SET values
$query2 .= "status='registered' WHERE email='" . addslashes($_POST['student_email']) . "';";
This is an echo of $query2. The PK for the table is the auto increment field id and the email field.
query 2 = UPDATE student SET name='Όνομα', surname='Επώνυμο', dob='1970-09-09',
fathers_name='Ονοματεπώνυμο πατέρα', mother_name='Ονοματεπώνυμο μητέρας',
nationality='Υπηκοότητα', adt='Α.Δ.Τ.', password='0cc175b9c0f1b6a831c399e269772661',
dept='biology', id='Αριθμός μητρώου', studying_semester='6', registration_year='2001-00-00',
atlas_id='1234', academicIDNumber='123456789012', perm_address_road='Οδός',
perm_address_number='Αριθμός', perm_address_area='Περιοχή/Πόλη', perm_address_PObox='Τ.Κ.',
perm_address_Country='Χώρα', study_address_road='Οδός', study_address_number='Αριθμός',
study_address_area='Περιοχή/Πόλη', study_address_PObox='Τ.Κ.', study_address_Country='Χώρα',
telephone='+305555555555', cellphone='+305555555555', fax='+305555555555', afm='Α.Φ.Μ.',
eforia='Δ.Ο.Υ.', amka='Α.Μ.Κ.Α.', amika='Α.Μ.ΙΚΑ', status='registered' WHERE email='20#send.com';
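The failure mode described above (a column name, here `id`, derived from a form-field name) goes away when form fields are mapped to columns through an explicit allowlist instead of `substr()`. This is an added example, not the poster's code; the `$pdo` connection, the `student` table and the column map are assumptions based on the echoed query.

```php
<?php
// Added example (not the poster's code): form fields map to columns through an
// explicit allowlist. A key that is not in the map, such as "student_id", is
// ignored, so the primary key can never reach the SET list. $pdo is an assumed
// PDO connection to the same database.
$columnMap = [
    'student_name'              => 'name',
    'student_surname'           => 'surname',
    'student_select_dept'       => 'dept',
    'student_semester'          => 'studying_semester',
    'student_father_name'       => 'fathers_name',
    'student_academic_id'       => 'academicIDNumber',
    'student_registration_year' => 'registration_year',
    'student_password'          => 'password',
    // ... the remaining writable columns; never 'id' and never 'email'
];

function buildStudentUpdate(array $post, array $columnMap)
{
    $sets   = [];
    $params = [];
    foreach ($columnMap as $field => $column) {
        if (!isset($post[$field])) {
            continue;                              // not part of this submission
        }
        $value = $post[$field];
        if ($field === 'student_registration_year') {
            $value .= '-00-00';                    // same normalisation as the original
        } elseif ($field === 'student_password') {
            $value = password_hash($value, PASSWORD_DEFAULT);   // instead of unsalted md5()
        }
        $sets[]             = "`$column` = :$column";   // identifiers come from the map only
        $params[":$column"] = $value;                   // values are bound, not concatenated
    }
    $sets[]           = "status = 'registered'";
    $params[':email'] = isset($post['student_email']) ? $post['student_email'] : '';
    $sql = 'UPDATE student SET ' . implode(', ', $sets) . ' WHERE email = :email';
    return [$sql, $params];
}

list($sql, $params) = buildStudentUpdate($_POST, $columnMap);
$stmt = $pdo->prepare($sql);
$stmt->execute($params);
```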
This code down here should search the database, but I am getting an error that my table doesn't exist. And also I want to ask why, if I push the submit button a second time, it just jumps to else so it echoes "choose at least..." and also all data from the database. Thanks!
Here is the PHP:
if (isset($_POST['submit'])) {
    $query = 'SELECT * FROM station_tab';
    if (!empty($_POST['station_name']) && !empty($_POST['city']) && !empty($_POST['zone']))
    {
        $query .= 'WHERE station_name' .mysql_real_escape_string($_POST['station_name']) . 'AND city' . mysql_real_escape_string($_POST['city']) . 'AND zone' . mysql_real_escape_string($_POST['zone']);
    } elseif (!empty($_POST['station_name'])) {
        $query .= 'WHERE station_name' . mysql_real_escape_string($_POST['station_name']);
    } elseif (!empty($_POST['city'])) {
        $query .= 'WHERE city' . mysql_real_escape_string($_POST['city']);
    } elseif (!empty($_POST['zone'])) {
        $query .= 'WHERE zone' . mysql_real_escape_string($_POST['zone']);
    } else {
        echo "Choose at least one option for search";
    }
    $result = mysql_query($query, $db) or die(mysql_error($db));
    if (mysql_num_rows($result) > 0) {
        while ($row = mysql_fetch_array($result)) {
            echo '<br/><em>' .$row['station_name'] . '</em>';
            echo '<br/>city: '. $row['city'];
            echo '<br/> zone: ' .$row['zone'];
            echo '<br/> Long: ' .$row['lon'];
            echo '<br/> Lat: ' . $row['lat'];
        }
    }
}
Here is the error message when I add the name of the city to city:
Table 'stanice_tab.station_tabwhere' doesn't exist
Here is your corrected code:
$query = 'SELECT * FROM station_tab '; // note the space at the end
if (!empty($_POST['station_name']) && !empty($_POST['city']) && !empty($_POST['zone'])) {
    $query .= ' WHERE station_name = "' .mysql_real_escape_string($_POST['station_name']) . '" AND city = "' . mysql_real_escape_string($_POST['city']) . '" AND zone = "' . mysql_real_escape_string($_POST['zone']).'"'; // note the = signs and the space before each AND
} elseif (!empty($_POST['station_name'])) {
    $query .= ' WHERE station_name = "' . mysql_real_escape_string($_POST['station_name']).'"'; // note the = sign and the space at the beginning
} elseif (!empty($_POST['city'])) {
    $query .= ' WHERE city = "' . mysql_real_escape_string($_POST['city']).'"'; // note the = sign and the space at the beginning
} elseif (!empty($_POST['zone'])) {
    $query .= ' WHERE zone = "' . mysql_real_escape_string($_POST['zone']).'"'; // note the = sign and the space at the beginning
} else {
    echo "Choose at least one option for search";
}
Get into the habit of echoing your $query variable so that concatenation does not introduce typos.
In phpMyAdmin, select the database and then select your table;
in the menu above there is a SQL menu. You can use this functionality to construct SQL queries or to debug when there are errors like this.
I am trying to check if the REF number added when creating a new MySQL row is already in use. I don't have problems adding a new row; however, the script does not check the database first.
if ($_POST['add_new_bus']) {
    if (($_POST['add_ref'] != "") && ($_POST['add_name'] != "") && ($_POST['add_address'] != "") && ($_POST['add_area'] != "")) {
        $add_ref = $_POST['add_ref'];
        $add_name = $_POST['add_name'];
        $add_address = $_POST['add_address'];
        $add_area = $_POST['add_area'];
        $chech_sql = "INSERT INTO `Details` (`REF`) VALUES ('$add_ref')";
        if (!($conn->query($chech_sql))) {
            echo "REF is already in use";
        } else {
            mysqli_query($conn, "INSERT INTO `Details` (`REF`, `NAME`, `ADDRESS`, `AREA`) VALUES ('$add_ref', '$add_name', '$add_address', '$add_area')");
            echo "<p style='float:right;'>" . $_POST['add_name'] . " " . "has been added to the register with REF number:" . " " . $_POST['add_ref'] . "</p>";
        }
    }
}
Any Idea how to check if the REF number is already in use?
To give you a correct idea of how to do it, please check the code below:
<?php
if (isset($_POST['add_new_bus'])) {
    if (($_POST['add_ref'] != "") && ($_POST['add_name'] != "") && ($_POST['add_address'] != "") && ($_POST['add_area'] != "")) {
        $add_ref = $_POST['add_ref'];
        $add_name = $_POST['add_name'];
        $add_address = $_POST['add_address'];
        $add_area = $_POST['add_area'];
        // Look the REF up in the column it is stored in (`REF`, as in the question's INSERT),
        // with the value bound instead of concatenated into the SQL.
        $check = $conn->prepare("SELECT `REF` FROM `Details` WHERE `REF` = ?");
        $check->bind_param("s", $add_ref);
        $check->execute();
        $check->store_result();
        if ($check->num_rows > 0) {
            echo "REF is already in use";
        } else {
            $insert = $conn->prepare("INSERT INTO `Details` (`REF`, `NAME`, `ADDRESS`, `AREA`) VALUES (?, ?, ?, ?)");
            $insert->bind_param("ssss", $add_ref, $add_name, $add_address, $add_area);
            $insert->execute();
            // escape on output so the submitted values cannot inject markup into the page
            echo "<p style='float:right;'>" . htmlspecialchars($add_name) . " has been added to the register with REF number: " . htmlspecialchars($add_ref) . "</p>";
        }
    }
}
?>
Note: checking the variables' values and other things is up to you, because you only have them in your code. Thanks.
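A SELECT-then-INSERT check still races with a concurrent request that inserts the same REF between the two statements; the check that holds is a UNIQUE index on the column plus handling the duplicate-key error of the INSERT itself. Added example, not the answer's code: it assumes the `Details` table from the question with `REF` declared UNIQUE and the mysqli connection `$conn`.

```php
<?php
// Added example (not the answer's code). Assumes the UNIQUE index exists:
//   ALTER TABLE `Details` ADD UNIQUE (`REF`);
// and that $conn is the mysqli connection from the question.
const ER_DUP_ENTRY = 1062;   // MySQL error number for "Duplicate entry"

// Returns true when the row was inserted, false when REF is already in use.
function addBusiness(mysqli $conn, $ref, $name, $address, $area)
{
    $stmt = $conn->prepare(
        'INSERT INTO `Details` (`REF`, `NAME`, `ADDRESS`, `AREA`) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $ref, $name, $address, $area);
    try {
        $ok = $stmt->execute();
    } catch (mysqli_sql_exception $e) {     // PHP 8.1+ throws instead of returning false
        $ok = false;
    }
    if ($ok) {
        return true;
    }
    if ($stmt->errno === ER_DUP_ENTRY) {
        return false;   // the index rejected the duplicate, even one inserted a moment ago by another request
    }
    throw new RuntimeException('insert failed: ' . $stmt->error);
}

if (isset($_POST['add_new_bus'])) {
    foreach (['add_ref', 'add_name', 'add_address', 'add_area'] as $f) {
        if (!isset($_POST[$f]) || $_POST[$f] === '') {
            exit('All fields are required.');
        }
    }
    if (addBusiness($conn, $_POST['add_ref'], $_POST['add_name'], $_POST['add_address'], $_POST['add_area'])) {
        // escape on output: a name containing markup must not become HTML in the page
        echo '<p>' . htmlspecialchars($_POST['add_name'], ENT_QUOTES, 'UTF-8')
           . ' has been added to the register with REF number: '
           . htmlspecialchars($_POST['add_ref'], ENT_QUOTES, 'UTF-8') . '</p>';
    } else {
        echo 'REF is already in use';
    }
}
```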
I'm using SensioLabsInsight to profile any vulnerabilities in my code.
I've received several errors for possible sql injection, and it recommends using parameter binding with PDO. This is fine since I'm already using PDO for my db driver.
Right now my model is passed a $data array and then checks for specific values in the array in order to add to the sql query if present, like so:
public function getDownloads($data = array()) {
    $sql = "
        SELECT *
        FROM {$this->db->prefix}download d
        LEFT JOIN {$this->db->prefix}download_description dd
        ON (d.download_id = dd.download_id)
        WHERE dd.language_id = '" . (int)$this->config->get('config_language_id') . "'";
    if (!empty($data['filter_name'])) {
        $sql .= " AND dd.name LIKE '" . $this->db->escape($data['filter_name']) . "%'";
    }
    $sort_data = array(
        'dd.name',
        'd.remaining'
    );
    if (isset($data['sort']) && in_array($data['sort'], $sort_data)) {
        $sql .= " ORDER BY " . $data['sort'];
    } else {
        $sql .= " ORDER BY dd.name";
    }
    if (isset($data['order']) && ($data['order'] == 'DESC')) {
        $sql .= " DESC";
    } else {
        $sql .= " ASC";
    }
    if (isset($data['start']) || isset($data['limit'])) {
        if ($data['start'] < 0) {
            $data['start'] = 0;
        }
        if ($data['limit'] < 1) {
            $data['limit'] = 20;
        }
        $sql .= " LIMIT " . (int)$data['start'] . "," . (int)$data['limit'];
    }
    $query = $this->db->query($sql);
    return $query->rows;
}
The error referenced from the SensioLabsInsight analysis references only the $data['sort'] clause as being a possible injection point.
My question is: do I need to test for the $data array's presence when creating a prepared statement, or will it simply return null if the array value is empty?
My proposed new query with parameter binding would look like so:
public function getDownloads($data = array()) {
    $sql = "
        SELECT *
        FROM {$this->db->prefix}download d
        LEFT JOIN {$this->db->prefix}download_description dd
        ON (d.download_id = dd.download_id)
        WHERE dd.language_id = '" . (int)$this->config->get('config_language_id') . "'";
    if (!empty($data['filter_name'])) {
        $sql .= " AND dd.name LIKE :filter_name%";
    }
    $sort_data = array(
        'dd.name',
        'd.remaining'
    );
    if (isset($data['sort']) && in_array($data['sort'], $sort_data)) {
        $sql .= " ORDER BY :sort";
    } else {
        $sql .= " ORDER BY dd.name";
    }
    if (isset($data['order']) && ($data['order'] == 'DESC')) {
        $sql .= " DESC";
    } else {
        $sql .= " ASC";
    }
    if (isset($data['start']) || isset($data['limit'])) {
        if ($data['start'] < 0) {
            $data['start'] = 0;
        }
        if ($data['limit'] < 1) {
            $data['limit'] = 20;
        }
        $sql .= " LIMIT :start, :limit";
    }
    $this->db->prepare($sql);
    $this->db->bindParam(':filter_name', $data['filter_name']);
    $this->db->bindParam(':sort', $data['sort']);
    $this->db->bindParam(':start', $data['start'], PDO::PARAM_INT);
    $this->db->bindParam(':limit', $data['limit'], PDO::PARAM_INT);
    $query = $this->db->execute();
    return $query->rows;
}
Will this work as is, or do the parameter bindings need to be moved within the if/else conditionals?
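The two questions above follow from PDO's rules: a placeholder can stand only for a value, so `:filter_name%` is not a placeholder name, `ORDER BY :sort` orders by a constant string, and LIMIT arguments must be bound as integers; and a bound name that does not occur in the SQL (or a placeholder left unbound) is an error at execute(), so the bindings have to follow the conditionals. Added example, not the poster's model; `$pdo` is an assumed PDO handle, `$prefix` stands in for `$this->db->prefix`, and the tables are the ones in the question.

```php
<?php
// Added example (not the poster's model): the same query with bindings that
// follow the conditionals. Assumes $pdo is a PDO handle in ERRMODE_EXCEPTION
// and $prefix is the table prefix the original reads from $this->db->prefix.
function getDownloads(PDO $pdo, $prefix, $languageId, array $data = array())
{
    $sql = "SELECT * FROM {$prefix}download d
            LEFT JOIN {$prefix}download_description dd ON (d.download_id = dd.download_id)
            WHERE dd.language_id = :language_id";
    $params = array(':language_id' => (int)$languageId);   // one entry per placeholder in $sql

    if (!empty($data['filter_name'])) {
        // The wildcard is part of the value; ":filter_name%" is not a placeholder name.
        $sql .= " AND dd.name LIKE :filter_name";
        $params[':filter_name'] = $data['filter_name'] . '%';
    }

    // A placeholder can only carry a value: "ORDER BY :sort" sorts by the constant
    // string 'dd.name', not by the column. Identifiers stay in the allowlist.
    $sortable = array('dd.name', 'd.remaining');
    $sort  = (isset($data['sort']) && in_array($data['sort'], $sortable, true)) ? $data['sort'] : 'dd.name';
    $order = (isset($data['order']) && $data['order'] === 'DESC') ? 'DESC' : 'ASC';
    $sql .= " ORDER BY $sort $order";

    $ints = array();
    if (isset($data['start']) || isset($data['limit'])) {
        $start = isset($data['start']) ? (int)$data['start'] : 0;
        $limit = isset($data['limit']) ? (int)$data['limit'] : 0;
        $ints[':start'] = $start < 0 ? 0 : $start;
        $ints[':limit'] = $limit < 1 ? 20 : $limit;
        $sql .= " LIMIT :start, :limit";
    }

    $stmt = $pdo->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value);                  // bound only if it occurs in $sql
    }
    foreach ($ints as $name => $value) {
        // LIMIT needs real integers: with emulated prepares a string value is quoted
        // ("LIMIT '0', '20'") and MySQL rejects the statement.
        $stmt->bindValue($name, $value, PDO::PARAM_INT);
    }
    $stmt->execute();    // mismatched bindings and placeholders fail here, not silently
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```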
I'm having a syntax issue with this bit of code:
$query = "SELECT *
FROM ".$db->nameQuote('#__mls')."
WHERE 1=1"
. if ($zip != null)
{ AND ".$db->nameQuote('MSTZIP')." = ".$db->quote($zip)."}
. if ($city != null)
{ AND ".$db->nameQuote('MSTCITY')." = '".$db->quote($city)."'}
. if ($bdrms != null)
{ AND ".$db->nameQuote('MSTBDRMS')." >= ".$db->quote($bdrms)."}
. if ($bths != null)
{ AND ".$db->nameQuote('MSTBATHS')." >= ".$db->quote($bths)."}
. if ($lprice != null)
{ AND ".$db->nameQuote('MSTLISTPRC')." BETWEEN ".$db->quote($lprice)." AND ".$db->quote($hprice)."}
";"
;
The first " starts the query statement, the second " layer assigns the table, then the WHERE statement, and then it gets tricky. All the if statements are messing with me. I feel like that's where a " is getting misplaced or missing.
Utterly broken beyond belief. Try something more like this:
$query = "SELECT * FROM " . $db->nameQuote('#__mls') . " WHERE 1=1";
$clauses = array();
if ($zip != null) {
    $clauses[] = $db->nameQuote('MSTZIP') . " = " . $db->quote($zip);
}
if (etc...) {
    ...
}
if (!empty($clauses)) {
    $query .= " AND " . implode(' AND ', $clauses);   // the leading AND joins the first clause onto "WHERE 1=1"
}
echo $query;
Before every AND you are missing a ", and you need to build your query in a different manner (please double check every '; I am sure I missed a few somewhere).
$query = "SELECT *
    FROM " . $db->nameQuote('#__mls') . "
    WHERE 1=1";
if ($zip != null) {
    // $db->quote() already wraps the value in quotes, so no extra ' around it
    $query .= " AND " . $db->nameQuote('MSTZIP') . " = " . $db->quote($zip);
}
if ($city != null) {
    $query .= " AND " . $db->nameQuote('MSTCITY') . " = " . $db->quote($city);
}
if ($bdrms != null) {
    $query .= " AND " . $db->nameQuote('MSTBDRMS') . " >= " . $db->quote($bdrms);
}
if ($bths != null) {
    $query .= " AND " . $db->nameQuote('MSTBATHS') . " >= " . $db->quote($bths);
}
if ($lprice != null) {
    $query .= " AND " . $db->nameQuote('MSTLISTPRC') . " BETWEEN " . $db->quote($lprice) . " AND " . $db->quote($hprice);
}
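The station search in the earlier thread and the `#__mls` query here need the same thing: each optional condition collected together with its value and joined with AND, with the driver doing the quoting. Added example, not from either thread: it assumes a mysqli connection `$db`, the `station_tab` columns from the search thread, and an assumed `lat` range filter to show the `>=` case.

```php
<?php
// Added example (not from either thread): optional conditions collected as
// fragments with "?" placeholders; the join string supplies the spaces and
// mysqli supplies the quoting. Assumes $db is a mysqli connection and the
// station_tab table (station_name, city, zone, lon, lat) from the search thread;
// the lat filter is an assumed extra to show a ">=" condition.
function buildStationSearch(array $input)
{
    $filters = array(
        'station_name' => 'station_name = ?',
        'city'         => 'city = ?',
        'zone'         => 'zone = ?',
        'min_lat'      => 'lat >= ?',
    );
    $clauses = array();
    $values  = array();
    foreach ($filters as $key => $fragment) {
        if (isset($input[$key]) && $input[$key] !== '') {
            $clauses[] = $fragment;        // SQL text is fixed, only the value varies
            $values[]  = $input[$key];
        }
    }
    $sql = 'SELECT station_name, city, zone, lon, lat FROM station_tab';
    if ($clauses) {
        $sql .= ' WHERE ' . implode(' AND ', $clauses);   // " WHERE " and " AND " carry their own spaces
    }
    return array($sql, $values);
}

function runStationSearch(mysqli $db, array $input)
{
    list($sql, $values) = buildStationSearch($input);
    if (!$values) {
        return null;    // "choose at least one option": do not run an unfiltered query
    }
    $stmt = $db->prepare($sql);
    $stmt->bind_param(str_repeat('s', count($values)), ...$values);   // PHP 5.6+ argument unpacking
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // get_result() needs the mysqlnd driver
}

$rows = runStationSearch($db, $_POST);
if ($rows === null) {
    echo 'Choose at least one option for search';
} else {
    foreach ($rows as $row) {
        echo '<br/><em>' . htmlspecialchars($row['station_name']) . '</em> city: ' . htmlspecialchars($row['city']);
    }
}
```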
I need to save the values from my dynamic textboxes into different tables at the same time. Can someone help me do this? I have 4 tables that need to be filled. These are my tables and their fields:
table1
- desk_id
- desk_user
- desk_report
- desk_action
table2
- print_id
- print_brand
- print_model
- print_report
- print_action
table3
- tel_id
- tel_local
- tel_user
- tel_report
- tel_action
table4
- remarks_id
- remarks
My PHP code:
<?php
$con = mysql_connect("localhost", "root", "nasi") or die
    ('cannot connect to database error: ' . mysql_error());
if (isset($_POST['desk_user']) &&
    isset($_POST['desk_report']) &&
    isset($_POST['desk_action']) &&
    isset($_POST['print_brand']) &&
    isset($_POST['print_model']) &&
    isset($_POST['print_report']) &&
    isset($_POST['print_action']) &&
    isset($_POST['tel_local']) &&
    isset($_POST['tel_user']) &&
    isset($_POST['tel_report']) &&
    isset($_POST['tel_action']) &&
    isset($_POST['remarks']))
{
    $desk_user = $_POST['desk_user'];
    $desk_report = $_POST['desk_report'];
    $desk_action = $_POST['desk_action'];
    $print_brand = $_POST['print_brand'];
    $print_model = $_POST['print_model'];
    $print_report = $_POST['print_report'];
    $print_action = $_POST['print_action'];
    $tel_local = $_POST['tel_local'];
    $tel_user = $_POST['tel_user'];
    $tel_report = $_POST['tel_report'];
    $tel_action = $_POST['tel_action'];
    $remarks = $_POST['remarks'];
    if (!empty($desk_user) && !empty($desk_report) && !empty($desk_action) && !empty($print_brand) && !empty($print_model) && !empty($print_report) && !empty($print_action) && !empty($tel_local) && !empty($tel_user) && !empty($tel_report) && !empty($tel_action) && !empty($remarks)) {
        mysql_select_db("csr", $con);
        $queries = array();
        for ($i = 0; $i < count($desk_user || $print_brand || $tel_local || $remarks); $i++)
        {
            $queries[] = "('" . $desk_user[$i] . "', '" . $desk_report[$i] . "', '" . $desk_action[$i] . "')";
            $queries1[] = "('" . $print_brand[$i] . "', '" . $print_model[$i] . "', '" . $print_report[$i] . "', '" . $print_action[$i] . "')";
            $queries2[] = "('" . $tel_local[$i] . "', '" . $tel_user[$i] . "', '" . $tel_report[$i] . "', '" . $tel_action[$i] . "')";
            $queries3[] = "('" . $remarks[$i] . "')";
        }
        if (count($queries) == 0)
        {
            # Nothing passed
            # exit
        }
        // column lists match the three and four values built per row above
        $query = "insert into desktoplaptop (desk_user, desk_report, desk_action) values " . implode(", ", $queries);
        $query1 = "insert into printer (print_brand, print_model, print_report, print_action) values " . implode(", ", $queries1);
        $query2 = "insert into tel (tel_local, tel_user, tel_report, tel_action) values " . implode(", ", $queries2);
        $query3 = "insert into remarks (remarks) values " . implode(", ", $queries3);
        if ($sql_run = mysql_query($query) || $sql_run = mysql_query($query1) || $sql_run = mysql_query($query2) || $sql_run = mysql_query($query3)) {
            echo 'ok.';
        }
        else {
            echo '*Sorry, we couldn\'t register you at this time. Try again later.';
        }
    }
}
?>
If there are four tables, there needs to be a unique INSERT statement for each one. With the code you provided, you only name one table: desktoplaptop
If there actually are four unique tables as suggested by your list above, you will need to write a unique INSERT statement which refers to each table's schema.
For example:
$queries = array();
if (!empty($desk_user)) {
    $queries[] = "INSERT into desktop (desk_user, desk_report, desk_action) VALUES ('" . $desk_user . "', '" . $desk_report . "', '" . $desk_action . "')";
}
// repeat for the other 3 tables
foreach ($queries as $query) {
    if ($sql_run = mysql_query($query)) {
        echo 'ok.';
    } else {
        echo '*Sorry, we couldn\'t register you at this time. Try again later.';
    }
}
Note that if you are taking input from a web form, you will also want to mysql_escape_string() each $_POST variable to prevent injection. In addition, it seems you are using the count() function incorrectly: you are passing it a Boolean expression when it expects an array. Overall I would suggest taking another look over exactly how your code operates.
Do the four INSERTs as a loop?
$query[0] = "INSERT INTO TABLE1 (...) VALUES (...)";
$query[1] = "INSERT INTO TABLE2 (...) VALUES (...)";
//etc...
foreach ($query as $x)
{
    if ($sql_run = mysql_query($x)) {
        echo 'ok.';
    } else {
        echo '*Sorry, we couldn\'t register you at this time. Try again later.';
    }
}
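The loops above run the four INSERTs as independent statements, so a failure on the third table leaves the rows already written to the first two behind (and the original `a || b || c || d` chain stops after the first statement that succeeds). Added example, not from the thread: one prepared statement per table, executed for every form row inside a single transaction, assuming a PDO connection `$pdo` to the `csr` database and the table and column names used in the question's code.

```php
<?php
// Added example (not the thread's code): one prepared INSERT per table, run for
// every form row inside a single transaction. Assumes $pdo is a PDO connection to
// the "csr" database in ERRMODE_EXCEPTION and the per-row arrays desk_user[],
// print_brand[], tel_local[], remarks[] ... that the dynamic form submits.
$tables = array(
    'desktoplaptop' => array('desk_user', 'desk_report', 'desk_action'),
    'printer'       => array('print_brand', 'print_model', 'print_report', 'print_action'),
    'tel'           => array('tel_local', 'tel_user', 'tel_report', 'tel_action'),
    'remarks'       => array('remarks'),
);

function saveAllTables(PDO $pdo, array $tables, array $post)
{
    $stmts = array();
    foreach ($tables as $table => $columns) {   // table and column names come from $tables, never from the request
        $marks = implode(', ', array_fill(0, count($columns), '?'));
        $stmts[$table] = $pdo->prepare("INSERT INTO `$table` (`" . implode('`, `', $columns) . "`) VALUES ($marks)");
    }
    // Row count from one real array; count() of a boolean expression is not a row count.
    $rows = (isset($post['desk_user']) && is_array($post['desk_user'])) ? count($post['desk_user']) : 0;

    $pdo->beginTransaction();
    try {
        for ($i = 0; $i < $rows; $i++) {
            foreach ($tables as $table => $columns) {
                $values = array();
                foreach ($columns as $col) {
                    if (!isset($post[$col][$i]) || $post[$col][$i] === '') {
                        throw new InvalidArgumentException("missing $col in row $i");
                    }
                    $values[] = $post[$col][$i];
                }
                $stmts[$table]->execute($values);   // values bound, not concatenated
            }
        }
        $pdo->commit();        // all four tables written, or none of them
    } catch (Exception $e) {
        $pdo->rollBack();      // a failure on the third table undoes the first two as well
        throw $e;
    }
    return $rows;
}

try {
    echo saveAllTables($pdo, $tables, $_POST) . ' row(s) saved.';
} catch (Exception $e) {
    echo '*Sorry, we couldn\'t register you at this time. Try again later.';
}
```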